PIX Firewall VPN

Tags:
Cisco
I'm in kind of a tight spot as far as network admins go. We have a Cisco router that is controlled by our ISP, and the firewall was set up by a third party. We have sites connecting through VPN to our HQ. Some are static and some are dynamic. We also have a need to have VPN clients connect and look at resources on the inside network. We are using MS (XP Pro & 2000) VPN clients. Our PIX 515 firewall is providing VPN connectivity. Clients can connect and are authenticated, but cannot get to resources such as files, mappings and VNC. It seems there is no authorization to get to the internal network. I checked the PIX settings and it shows that AAA is done locally on the firewall. There are no external RADIUS or NT authorization servers listed. Could the access lists be denying VPN access internally? Could the router, which I can't even get into, be blocking GRE, port 1723 or some other port even though I can get authenticated at the firewall? If I can get some direction on where to start looking, it would be very helpful. Thanks, Vince
ASKED: November 17, 2005  10:14 AM
UPDATED: November 21, 2005  9:36 AM

Answer Wiki


Try turning on logging on the PIX box and log at the debug level. Then type "term mon"; that should put the log on your screen. Then have your remote user try to connect via VPN and see if any errors show up.

Discuss This Question: 8  Replies

  • Astronomer
    Vince: Are your clients getting the right IPs to connect to your net? What can the client ping when it is connected? I don't expect the problem to be within the external router, but there may be routing or filtering issues for the IPs given to the clients. When we first added a real firewall I discovered that some of the rudimentary filtering in the old architecture was breaking some standard Microsoft connectivity. We also were unable to get TCP encapsulation to work. UDP encapsulation works fine. Another option you may want to investigate after you get this fixed is to use the internal domain controllers as RADIUS servers to manage user connections. This has worked well for us. I can now connect from outside using my domain account, use Remote Desktop to log in to any server, and even manage the PIX from the server. rt
  • Vdinenna
    Thanks for your quick replies! I will try the logging. I am using the PIX Device Manager 3.0, because I'm not proficient with the CLI yet. When I connect to the PIX, I cannot ping anything, neither DNS nor IP. The PIX gives out a class A private network address to the client. It also gives out the internal DNS server IPs, which is funny, 'cause the internal DNS servers are class C. Would NAT translate these 10.1.100.x IPs to the private network? Thanks, Vince
  • Wfenech
    A couple of questions... Is this a new network setup, or is this an existing network that worked previously but has been modified? When you say "When I connect to the PIX, I cannot ping anything, neither DNS nor IP", what do you mean by that? Do you mean that you cannot ping anything from the command line of the PIX, or do you mean that the clients, once connected to the PIX, cannot ping anything internal (behind the PIX itself)? Or? What type of VPN are you using? IPsec? You mentioned GRE. Why are you using GRE tunnels? Is this to route multicast traffic, such as routing updates for a routing protocol like OSPF or EIGRP?
  • Vdinenna
    It might be easier if I sent you the config, but... We have site-to-site tunnels that work fine. We have both static and dynamic VPN connections from multiple sites. These sites, I believe, use DES. The remote (MS) VPN clients are connecting through PPTP. "sysopt connection permit-pptp" is established, the vpdn group PPTP has been created, and usernames were created. When I say "I can't ping anything, DNS or IP", I mean when I'm connected through the VPN tunnel from the VPN client to the PIX. Once I'm authenticated, I can't ping 192.168.1.x or server.domain.com. I can't ping any addresses on the inside network. I can ping the gateway and the firewall's inside and outside addresses. We are not using GRE.
  • Wfenech
    Are the machines that the MS clients are trying to ping/access on a separate (internal) network or subnet from the "working" VPN connections?
  • Vdinenna
    The VPN clients are getting 10.1.100.x 255.255.255.128 addresses from the PIX 515. The network inside the FW is 192.168.1.x. The working VPN connections are 192.168.x.x 255.255.255.0.
  • Astronomer
    It sounds to me like you don't have an appropriate pool of addresses set up in the PIX. When I set ours up I took addresses from the network the inner interface was connected to. When a client connects it is given one of these addresses so it can communicate with the internal net. rt
  • Craiglucca
    Aside from ping, can you pass any traffic at all? Also, can you traceroute from either the remote end or your internal network? Two things come to mind: 1) a routing issue, where your network does not know how to reply to the host; 2) a possible MTU issue between the client and the PIX, which would affect packets between the two points. As mentioned in your previous post, a config would be helpful.
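The pieces the thread keeps circling back to, shown together as an added worked example in PIX 6.x CLI syntax (the version PDM 3.0 ships with): the debug logging from the Answer Wiki, the PPTP vpdn group and address pool Vince describes, the NAT exemption that Astronomer's and Craiglucca's posts point toward, and the show commands to verify each piece. This is not configuration taken from the original thread or from Vince's firewall. The 192.168.1.0/24 inside network and 10.1.100.0/25 client pool come from the thread; the pool name, access-list name, interface names, DNS server address 192.168.1.10 and the username are assumptions made for illustration.

```cisco
! Added example (not the thread's config). 192.168.1.0/24 and 10.1.100.0/25 come from the
! thread; pool/ACL names, the DNS address and the username are assumed.

! 1. Debug-level logging to the current terminal session (the Answer Wiki step)
logging on
logging buffered debugging
logging monitor debugging
terminal monitor

! 2. PPTP termination on the outside interface for Windows XP/2000 clients
sysopt connection permit-pptp
vpdn enable outside
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe 40 required
vpdn group PPTP client configuration address local pptp-pool
vpdn group PPTP client configuration dns 192.168.1.10
vpdn group PPTP client authentication local
vpdn username vince password <password>

! 3. The address pool handed to clients (Vince's 10.1.100.x /25)
ip local pool pptp-pool 10.1.100.1-10.1.100.126

! 4. NAT exemption between the inside network and the client pool, so neither side
!    is translated when talking to the other. Cisco's PIX PPTP examples include this,
!    and its absence is a common reason a client can reach the firewall itself but
!    nothing behind it.
access-list inside_nonat permit ip 192.168.1.0 255.255.255.0 10.1.100.0 255.255.255.128
nat (inside) 0 access-list inside_nonat

! 5. Verification while a client is connected
show vpdn tunnel
show vpdn session
show ip local pool pptp-pool
show access-list inside_nonat
show route
show logging
```

Two things to check alongside this. First, Craiglucca's routing point: because the pool is a different subnet from the inside network, hosts on 192.168.1.0/24 must have a route for 10.1.100.0/25 that points at the PIX inside interface; if their default gateway is some other internal router, replies to the client go there instead. Astronomer's approach of carving the pool out of 192.168.1.0/24 sidesteps that because the PIX answers ARP for pool addresses on the inside interface, but the NAT exemption in step 4 is still needed. Second, with `show logging` and `term mon` active, a client that authenticates but cannot pass traffic should show whether packets from the 10.1.100.x address are being denied or translated, which is the quickest way to tell an access-list or NAT problem from a routing one. As a caveat for anyone reading this today, PPTP with MS-CHAP and MPPE is a legacy protocol and should not be relied on for confidentiality; it is shown here only because it is what the thread is about.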
